A vulnerability found in billions of Universal Plug and Play devices, named CallStranger, allows attackers to steal data, scan networks and potentially cause a network to participate in distributed denial-of-service attacks.
The vulnerability can be used to target any UPnP device, though home users are not expected to be targeted directly. Internet service providers are particularly at risk, along with enterprises.
The CallStranger site recommends that ISPs ask vendors to update devices exposed to the vulnerability, and that device vendors patch devices if they have not done so already. The site recommends that enterprises take their own actions, including a variety of mitigations depending on their circumstances.
Recommended actions include closing UPnP ports if there is no business need; blocking all SUBSCRIBE and NOTIFY HTTP packets in traffic; disabling UPnP services in IP cameras, printers, routers and other devices on intranets if it’s not a business requirement; and considering not placing unsecured UPnP devices on their network.
“UPnP was effectively designed from the ground up without security,” Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “Although applications can staple on authentication, in most cases all requests from the local network are just trusted.”
What’s worse is that these devices rarely employ protections against cross-site attacks, and a malicious website can leverage UPnP services to manipulate and even compromise remote devices. “The best course of action when it comes to UPnP is to simply turn it off,” he said.
Explaining the technical side, Young said: “The SUBSCRIBE method in UPnP allows nodes on the network to register a URL to receive callbacks as specified conditions are met. The problem described by the CallStranger vulnerability is that this callback URL is not restricted to the local network. An attacker could leverage the millions of UPnP devices improperly connected to quickly direct large volumes of traffic to DDoS targets.”
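As an added illustration of the SUBSCRIBE/CALLBACK weakness Young describes and of the "block SUBSCRIBE and NOTIFY traffic" mitigation listed above (example code written for this page, not code from the article, Tripwire or the CallStranger site): a small Python check that a UPnP device or an inline filter could apply to incoming SUBSCRIBE requests, accepting a subscription only when every URL in the CALLBACK header points into a configured local network. The sample request text, the `make_subscribe` helper and the 192.168.1.0/24 range are constructed for the example; only the general header layout (SUBSCRIBE method, CALLBACK header with URLs in angle brackets, NT and TIMEOUT headers) follows the UPnP eventing format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: the local network(s) this device or filter considers trusted.
# A patched device would derive this from its own interface addresses.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# CALLBACK may carry several delivery URLs, each in angle brackets.
CALLBACK_URL_RE = re.compile(r"<([^>]+)>")


def make_subscribe(callback_header: str) -> str:
    """Constructed sample SUBSCRIBE request with the given CALLBACK header value."""
    return (
        "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
        "HOST: 192.168.1.10:49152\r\n"
        f"CALLBACK: {callback_header}\r\n"
        "NT: upnp:event\r\n"
        "TIMEOUT: Second-1800\r\n"
        "\r\n"
    )


def parse_request(raw: str):
    """Return (method, headers) for a raw HTTP request; header names upper-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return method, headers


def is_local_callback(url: str, local_networks=LOCAL_NETWORKS) -> bool:
    """True only for http:// URLs whose host is a literal IP inside a local network."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A hostname could resolve anywhere, so it is not accepted as local.
        return False
    return any(addr in net for net in local_networks)


def evaluate_subscribe(raw: str, local_networks=LOCAL_NETWORKS):
    """Decide whether a SUBSCRIBE request may be honoured.

    Returns ("accept", []) when every CALLBACK URL is local,
    ("reject", [offending urls]) otherwise, and ("ignore", []) for other methods.
    """
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return ("ignore", [])
    urls = CALLBACK_URL_RE.findall(headers.get("CALLBACK", ""))
    if not urls:
        return ("reject", [])  # no delivery URL at all: nothing valid to subscribe
    offending = [u for u in urls if not is_local_callback(u, local_networks)]
    return ("reject" if offending else "accept", offending)


if __name__ == "__main__":
    for cb in ("<http://192.168.1.50:8080/notify>",
               "<http://203.0.113.7/notify>",
               "<http://192.168.1.50/ok><http://198.51.100.9/>"):
        print(cb, "->", evaluate_subscribe(make_subscribe(cb)))
```

The check deliberately refuses hostnames and non-http schemes rather than resolving them: the whole problem is a delivery URL the subscriber controls, so anything that cannot be shown to be on the local network is treated as off it. On the network side, the same decision can be expressed as a rule that drops SUBSCRIBE and NOTIFY traffic crossing the perimeter, which is the blanket mitigation the CallStranger site recommends.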